[Am-info] MyGuestbook Script Injection Vulnerability

Fred A. Miller fm@cupserv.org
Mon, 6 May 2002 16:46:12 -0400


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

MyGuestbook Script Injection Vulnerability
BugTraq ID: 4651
Remote: Yes
Date Published: Apr 30 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4651
Summary:

MyGuestbook is freely available guestbook software.  It will run on most
Unix and Linux variants, as well as Microsoft Windows operating systems.

MyGuestbook does not adequately filter HTML tags from various fields.
This may enable an attacker to inject arbitrary script code into pages
that are generated by the guestbook.

The attacker's script code may be executed in the web client of arbitrary
users who view the pages generated by the guestbook, in the security
context of the website running the software.

Attackers may potentially exploit this issue to hijack web content or to
steal cookie-based authentication credentials.

--
Fred A. Miller
Systems Administrator
Cornell Univ. Press Services
fm@cupserv.org, www.cupserv.org
--- SuSE Linux v8.0 Pro---



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAjzW65UACgkQB9vk4ichYXdcyQCfYWigDq6CvYu1mruicOp9iQa5
FZ4AnjIIwQgIryGQzuZr+u1Hstr6NIab
=6vBS
-----END PGP SIGNATURE-----
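The advisory above describes a stored cross-site scripting flaw: guestbook fields are written into generated pages without HTML filtering, so a visitor's browser executes whatever markup an earlier poster left. The following is an added illustration, not code from MyGuestbook or from the advisory, of the vulnerable rendering pattern beside the hardened one (escape every user-controlled field on output), plus a small review helper a site operator could run over stored entries. The entry format, field names and sample entries are constructed assumptions.

```python
import html
import re

# Constructed sample entries standing in for the guestbook's stored fields
# (field names are an assumption; the advisory does not list them).
SAMPLE_ENTRIES = [
    {"name": "alice", "message": "Nice site!"},
    {"name": "<b>bob</b>", "message": "<script>alert(1)</script>"},
]


def render_unsafe(entry):
    """The vulnerable pattern: fields dropped straight into the page."""
    return f"<p><b>{entry['name']}</b>: {entry['message']}</p>"


def render_safe(entry):
    """Hardened: each user-controlled field is HTML-escaped on output.

    quote=True also escapes quotes, so the same helper is safe inside
    attribute values, not only in element text.
    """
    name = html.escape(entry["name"], quote=True)
    message = html.escape(entry["message"], quote=True)
    return f"<p><b>{name}</b>: {message}</p>"


_SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def has_script_tag(rendered_html):
    """True if the rendered page contains a live <script> opening tag."""
    return _SCRIPT_TAG.search(rendered_html) is not None


def flag_suspicious_entries(entries):
    """Return indices of stored entries whose fields contain raw markup.

    Useful when auditing an existing guestbook database after deploying
    output encoding: entries already saved may carry injected tags.
    """
    flagged = []
    for i, entry in enumerate(entries):
        if any("<" in value or ">" in value for value in entry.values()):
            flagged.append(i)
    return flagged


if __name__ == "__main__":
    for entry in SAMPLE_ENTRIES:
        print("unsafe:", render_unsafe(entry))
        print("safe:  ", render_safe(entry))
    print("entries with raw markup:", flag_suspicious_entries(SAMPLE_ENTRIES))
```

The fix is applied at output time rather than by stripping tags on input: a tag filter must anticipate every browser parsing quirk, whereas escaping the five HTML metacharacters makes the field inert regardless of what was stored.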